mirrors_public/oddlama_nix-config
1
1
Fork 1
mirror of https://github.com/oddlama/nix-config.git synced 2025-10-10 23:00:39 +02:00
Code Activity

refactor: move lan ip information to globals

Browse source
This commit is contained in:
oddlama 2024-06-10 15:49:34 +02:00
parent 859e3d1771
commit def57cfc61
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
18 changed files with 163 additions and 62 deletions
Download patch file Download diff file Expand all files Collapse all files

4
hosts/sire/default.nix
View file

@ -112,7 +112,9 @@
backend = "container"; backend = "container";
container.macvlan = "lan"; container.macvlan = "lan";
extraSpecialArgs = { extraSpecialArgs = {
inherit lib nodes inputs minimal; inherit (inputs.self) nodes globals;
inherit (inputs.self.pkgs.x86_64-linux) lib;
inherit inputs minimal;
}; };
}; };
}; };

5
hosts/sire/guests/grafana.nix
View file

@ -118,10 +118,9 @@ in {
proxyPass = "http://grafana"; proxyPass = "http://grafana";
proxyWebsockets = true; proxyWebsockets = true;
}; };
# FIXME: refer to lan 192.168... and fd10:: via globals
extraConfig = '' extraConfig = ''
allow 192.168.1.0/24; allow ${globals.net.home-lan.cidrv4};
allow fd10::/64; allow ${globals.net.home-lan.cidrv6};
deny all; deny all;
''; '';
}; };

5
hosts/sire/guests/immich.nix
View file

@ -224,11 +224,10 @@ in {
proxyPass = "http://immich"; proxyPass = "http://immich";
proxyWebsockets = true; proxyWebsockets = true;
}; };
# FIXME: refer to lan 192.168... and fd10:: via globals
extraConfig = '' extraConfig = ''
client_max_body_size 10G; client_max_body_size 10G;
allow 192.168.1.0/24; allow ${globals.net.home-lan.cidrv4};
allow fd10::/64; allow ${globals.net.home-lan.cidrv6};
deny all; deny all;
''; '';
}; };

5
hosts/sire/guests/influxdb.nix
View file

@ -1,5 +1,6 @@
{ {
config, config,
globals,
lib, lib,
nodes, nodes,
pkgs, pkgs,
@ -33,8 +34,8 @@ in {
{ {
method = "native"; method = "native";
urls = [ urls = [
"192.168.178.1" globals.net.home-wan.hosts.fritzbox.ipv4
"192.168.1.1" globals.net.home-lan.hosts.ward.ipv4
]; ];
tags.type = "internal"; tags.type = "internal";
fieldpass = [ fieldpass = [

5
hosts/sire/guests/paperless.nix
View file

@ -61,11 +61,10 @@ in {
virtualHosts.${paperlessDomain} = { virtualHosts.${paperlessDomain} = {
forceSSL = true; forceSSL = true;
useACMEWildcardHost = true; useACMEWildcardHost = true;
# FIXME: refer to lan 192.168... and fd10:: via globals
extraConfig = '' extraConfig = ''
client_max_body_size 512M; client_max_body_size 512M;
allow 192.168.1.0/24; allow ${globals.net.home-lan.cidrv4};
allow fd10::/64; allow ${globals.net.home-lan.cidrv6};
deny all; deny all;
''; '';
locations."/" = { locations."/" = {

3
hosts/sire/guests/samba.nix
View file

@ -1,5 +1,6 @@
{ {
config, config,
globals,
lib, lib,
... ...
}: let }: let
@ -155,7 +156,7 @@ in {
# Deny access to all hosts by default. # Deny access to all hosts by default.
"hosts deny = 0.0.0.0/0" "hosts deny = 0.0.0.0/0"
# Allow access to local network and TODO: wireguard # Allow access to local network and TODO: wireguard
"hosts allow = 192.168.1.0/24 fd10::/64" "hosts allow = ${globals.net.home-lan.cidrv4} ${globals.net.home-lan.cidrv6}"
# Don't advertise inaccessible shares to users # Don't advertise inaccessible shares to users
"access based share enum = yes" "access based share enum = yes"

14
hosts/sire/net.nix
View file

@ -1,11 +1,15 @@
{config, ...}: { {
config,
globals,
...
}: {
networking.hostId = config.repo.secrets.local.networking.hostId; networking.hostId = config.repo.secrets.local.networking.hostId;
boot.initrd.systemd.network = { boot.initrd.systemd.network = {
enable = true; enable = true;
networks."10-lan" = { networks."10-lan" = {
address = ["192.168.1.2/24"]; address = [globals.net.home-lan.hosts.sire.cidrv4];
gateway = ["192.168.1.1"]; gateway = [globals.net.home-lan.hosts.ward.ipv4];
matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan.mac; matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan.mac;
networkConfig = { networkConfig = {
IPv6PrivacyExtensions = "yes"; IPv6PrivacyExtensions = "yes";
@ -42,8 +46,8 @@
''; '';
}; };
"20-lan-self" = { "20-lan-self" = {
address = ["192.168.1.2/24"]; address = [globals.net.home-lan.hosts.sire.cidrv4];
gateway = ["192.168.1.1"]; gateway = [globals.net.home-lan.hosts.ward.ipv4];
matchConfig.Name = "lan-self"; matchConfig.Name = "lan-self";
networkConfig = { networkConfig = {
IPv6PrivacyExtensions = "yes"; IPv6PrivacyExtensions = "yes";

5
hosts/ward/default.nix
View file

@ -4,7 +4,6 @@
inputs, inputs,
lib, lib,
minimal, minimal,
nodes,
... ...
}: { }: {
imports = [ imports = [
@ -99,7 +98,9 @@
backend = "container"; backend = "container";
container.macvlan = "lan"; container.macvlan = "lan";
extraSpecialArgs = { extraSpecialArgs = {
inherit lib nodes inputs minimal; inherit (inputs.self) nodes globals;
inherit (inputs.self.pkgs.x86_64-linux) lib;
inherit inputs minimal;
}; };
}; };
}; };

2
hosts/ward/guests/adguardhome.nix
View file

@ -84,7 +84,7 @@ in {
# Use the local mirror-proxy for some services (not necessary, just for speed) # Use the local mirror-proxy for some services (not necessary, just for speed)
++ map (domain: { ++ map (domain: {
inherit domain; inherit domain;
answer = "192.168.1.4"; answer = globals.net.home-lan.hosts.ward-web-proxy.ipv4;
}) [ }) [
# FIXME: dont hardcode, filter global service domains by internal state # FIXME: dont hardcode, filter global service domains by internal state
globals.services.grafana.domain globals.services.grafana.domain

13
hosts/ward/guests/web-proxy.nix
View file

@ -1,4 +1,8 @@
{config, ...}: let {
config,
globals,
...
}: let
inherit (config.repo.secrets.local) acme; inherit (config.repo.secrets.local) acme;
fritzboxDomain = "fritzbox.${config.repo.secrets.global.domains.me}"; fritzboxDomain = "fritzbox.${config.repo.secrets.global.domains.me}";
in { in {
@ -35,7 +39,7 @@ in {
services.nginx = { services.nginx = {
upstreams.fritzbox = { upstreams.fritzbox = {
servers."192.168.178.1" = {}; servers.${globals.net.home-wan.hosts.fritzbox.ipv4} = {};
extraConfig = '' extraConfig = ''
zone grafana 64k; zone grafana 64k;
keepalive 2; keepalive 2;
@ -50,11 +54,10 @@ in {
}; };
# Allow using self-signed certs. We just want to make sure the connection # Allow using self-signed certs. We just want to make sure the connection
# is over TLS. # is over TLS.
# FIXME: refer to lan 192.168... and fd10:: via globals
extraConfig = '' extraConfig = ''
proxy_ssl_verify off; proxy_ssl_verify off;
allow 192.168.1.0/24; allow ${globals.net.home-lan.cidrv4};
allow fd10::/64; allow ${globals.net.home-lan.cidrv6};
deny all; deny all;
''; '';
}; };

19
hosts/ward/kea.nix
View file

@ -1,13 +1,11 @@
{ {
lib, lib,
globals,
utils, utils,
nodes, nodes,
... ...
}: let }: let
inherit (lib) net; inherit (lib) net;
lanCidrv4 = "192.168.1.0/24";
dnsIp = net.cidr.host 3 lanCidrv4;
webProxyIp = net.cidr.host 4 lanCidrv4;
in { in {
environment.persistence."/persist".directories = [ environment.persistence."/persist".directories = [
{ {
@ -36,35 +34,36 @@ in {
option-data = [ option-data = [
{ {
name = "domain-name-servers"; name = "domain-name-servers";
data = dnsIp; data = globals.net.home-lan.hosts.ward-adguardhome.ipv4;
} }
]; ];
subnet4 = [ subnet4 = [
{ {
id = 1; id = 1;
interface = "lan-self"; interface = "lan-self";
subnet = lanCidrv4; subnet = globals.net.home-lan.cidrv4;
pools = [ pools = [
{pool = "${net.cidr.host 20 lanCidrv4} - ${net.cidr.host (-6) lanCidrv4}";} {pool = "${net.cidr.host 20 globals.net.home-lan.cidrv4} - ${net.cidr.host (-6) globals.net.home-lan.cidrv4}";}
]; ];
option-data = [ option-data = [
{ {
name = "routers"; name = "routers";
data = net.cidr.host 1 lanCidrv4; # FIXME: how to advertise v6 address also? data = globals.net.home-lan.hosts.ward.ipv4; # FIXME: how to advertise v6 address also?
} }
]; ];
# FIXME: map this over globals.guests or smth. marker tag for finding: ipv4 192.168.1.1
reservations = [ reservations = [
{ {
hw-address = nodes.ward-adguardhome.config.lib.microvm.mac; hw-address = nodes.ward-adguardhome.config.lib.microvm.mac;
ip-address = dnsIp; ip-address = globals.net.home-lan.hosts.ward-adguardhome.ipv4;
} }
{ {
hw-address = nodes.ward-web-proxy.config.lib.microvm.mac; hw-address = nodes.ward-web-proxy.config.lib.microvm.mac;
ip-address = webProxyIp; ip-address = globals.net.home-lan.hosts.ward-web-proxy.ipv4;
} }
{ {
hw-address = nodes.sire-samba.config.lib.microvm.mac; hw-address = nodes.sire-samba.config.lib.microvm.mac;
ip-address = net.cidr.host 10 lanCidrv4; ip-address = globals.net.home-lan.hosts.sire-samba.ipv4;
} }
]; ];
} }

53
hosts/ward/net.nix
View file

@ -1,21 +1,41 @@
{ {
config, config,
lib, globals,
... ...
}: let }: {
lanCidrv4 = "192.168.1.0/24";
lanCidrv6 = "fd10::/64";
in {
networking.hostId = config.repo.secrets.local.networking.hostId; networking.hostId = config.repo.secrets.local.networking.hostId;
globals.net = {
home-wan = {
cidrv4 = "192.168.178.0/24";
hosts.fritzbox.id = 1;
hosts.ward.id = 2;
};
home-lan = {
cidrv4 = "192.168.1.0/24";
cidrv6 = "fd10::/64";
hosts.ward.id = 1;
hosts.sire.id = 2;
hosts.ward-adguardhome.id = 3;
hosts.ward-web-proxy.id = 4;
hosts.sire-samba.id = 10;
};
proxy-home = {
cidrv4 = "10.44.0.0/24";
cidrv6 = "fd00:44::/120";
};
};
boot.initrd.systemd.network = { boot.initrd.systemd.network = {
enable = true; enable = true;
networks = { networks = {
inherit (config.systemd.network.networks) "10-wan"; inherit (config.systemd.network.networks) "10-wan";
"20-lan" = { "20-lan" = {
address = [ address = [
(lib.net.cidr.hostCidr 1 lanCidrv4) globals.net.home-lan.hosts.ward.cidrv4
(lib.net.cidr.hostCidr 1 lanCidrv6) globals.net.home-lan.hosts.ward.cidrv6
]; ];
matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan.mac; matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.lan.mac;
networkConfig = { networkConfig = {
@ -59,16 +79,16 @@ in {
#dhcpV4Config.UseDNS = false; #dhcpV4Config.UseDNS = false;
#dhcpV6Config.UseDNS = false; #dhcpV6Config.UseDNS = false;
#ipv6AcceptRAConfig.UseDNS = false; #ipv6AcceptRAConfig.UseDNS = false;
address = ["192.168.178.2/24"]; address = [globals.net.home-wan.hosts.ward.cidrv4];
gateway = ["192.168.178.1"]; gateway = [globals.net.home-wan.hosts.fritzbox.ipv4];
matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.wan.mac; matchConfig.MACAddress = config.repo.secrets.local.networking.interfaces.wan.mac;
networkConfig.IPv6PrivacyExtensions = "yes"; networkConfig.IPv6PrivacyExtensions = "yes";
linkConfig.RequiredForOnline = "routable"; linkConfig.RequiredForOnline = "routable";
}; };
"20-lan-self" = { "20-lan-self" = {
address = [ address = [
(lib.net.cidr.hostCidr 1 lanCidrv4) globals.net.home-lan.hosts.ward.cidrv4
(lib.net.cidr.hostCidr 1 lanCidrv6) globals.net.home-lan.hosts.ward.cidrv6
]; ];
matchConfig.Name = "lan-self"; matchConfig.Name = "lan-self";
networkConfig = { networkConfig = {
@ -81,7 +101,7 @@ in {
}; };
# Announce a static prefix # Announce a static prefix
ipv6Prefixes = [ ipv6Prefixes = [
{ipv6PrefixConfig.Prefix = lanCidrv6;} {ipv6PrefixConfig.Prefix = globals.net.home-lan.cidrv6;}
]; ];
# Delegate prefix # Delegate prefix
dhcpPrefixDelegationConfig = { dhcpPrefixDelegationConfig = {
@ -90,7 +110,7 @@ in {
# Provide a DNS resolver # Provide a DNS resolver
ipv6SendRAConfig = { ipv6SendRAConfig = {
EmitDNS = true; EmitDNS = true;
DNS = lib.net.cidr.host 3 lanCidrv6; DNS = globals.net.home-lan.hosts.ward-adguardhome.ipv4;
}; };
linkConfig.RequiredForOnline = "routable"; linkConfig.RequiredForOnline = "routable";
}; };
@ -162,9 +182,12 @@ in {
#}; #};
wireguard.proxy-home.server = { wireguard.proxy-home.server = {
host = "192.168.1.1"; host = globals.net.home-lan.hosts.ward.ipv4;
port = 51444; port = 51444;
reservedAddresses = ["10.44.0.0/24" "fd00:44::/120"]; reservedAddresses = [
globals.net.proxy-home.cidrv4
globals.net.proxy-home.cidrv6
];
openFirewall = false; # Explicitly opened only for lan openFirewall = false; # Explicitly opened only for lan
}; };
} }

1
hosts/zackbiene/esphome.nix
View file

@ -48,7 +48,6 @@ in {
}; };
# TODO dynamic definitions for the "local" network, IPv6 # TODO dynamic definitions for the "local" network, IPv6
extraConfig = '' extraConfig = ''
allow 192.168.0.0/22;
deny all; deny all;
''; '';
}; };

7
hosts/zackbiene/home-assistant.nix
View file

@ -149,7 +149,7 @@ in {
}; };
# Connect to fritzbox via https proxy (to ensure valid cert) # Connect to fritzbox via https proxy (to ensure valid cert)
networking.hosts."192.168.1.4" = [fritzboxDomain]; networking.hosts.${globals.net.home-lan.hosts.ward-web-proxy.ipv4} = [fritzboxDomain];
nodes.ward-web-proxy = { nodes.ward-web-proxy = {
services.nginx = { services.nginx = {
@ -167,10 +167,9 @@ in {
proxyPass = "http://home-assistant"; proxyPass = "http://home-assistant";
proxyWebsockets = true; proxyWebsockets = true;
}; };
# FIXME: refer to lan 192.168... and fd10:: via globals
extraConfig = '' extraConfig = ''
allow 192.168.1.0/24; allow ${globals.net.home-lan.cidrv4};
allow fd10::/64; allow ${globals.net.home-lan.cidrv6};
deny all; deny all;
''; '';
}; };

5
hosts/zackbiene/net.nix
View file

@ -1,5 +1,6 @@
{ {
config, config,
globals,
lib, lib,
... ...
}: let }: let
@ -56,8 +57,8 @@ in {
lan-interface.interfaces = ["lan1"]; lan-interface.interfaces = ["lan1"];
lan = { lan = {
parent = "lan-interface"; parent = "lan-interface";
ipv4Addresses = ["192.168.1.0/24"]; # FIXME: refer to via globals ipv4Addresses = [globals.net.home-lan.cidrv4];
ipv6Addresses = ["fd10::/64"]; # FIXME: refer to via globals ipv6Addresses = [globals.net.home-lan.cidrv6];
}; };
iot.interfaces = ["wlan1"]; iot.interfaces = ["wlan1"];
}; };

1
hosts/zackbiene/zigbee2mqtt.nix
View file

@ -53,7 +53,6 @@ in {
locations."/".proxyPass = "http://zigbee2mqtt"; locations."/".proxyPass = "http://zigbee2mqtt";
# TODO dynamic definitions for the "local" network, IPv6 # TODO dynamic definitions for the "local" network, IPv6
extraConfig = '' extraConfig = ''
allow 192.168.0.0/22;
deny all; deny all;
''; '';
}; };

71
modules/globals.nix
View file

@ -14,12 +14,81 @@ in {
default = {}; default = {};
type = types.submodule { type = types.submodule {
options = { options = {
net = mkOption {
type = types.attrsOf (types.submodule (netSubmod: {
options = {
cidrv4 = mkOption {
type = types.nullOr types.net.cidrv4;
description = "The CIDRv4 of this network";
default = null;
};
cidrv6 = mkOption {
type = types.nullOr types.net.cidrv6;
description = "The CIDRv6 of this network";
default = null;
};
hosts = mkOption {
type = types.attrsOf (types.submodule (hostSubmod: {
options = {
id = mkOption {
type = types.int;
description = "The id of this host in the network";
};
ipv4 = mkOption {
type = types.net.ipv4;
description = "The IPv4 of this host";
readOnly = true;
default =
if netSubmod.config.cidrv4 == null
then null
else lib.net.cidr.host hostSubmod.config.id netSubmod.config.cidrv4;
};
ipv6 = mkOption {
type = types.net.ipv6;
description = "The IPv6 of this host";
readOnly = true;
default =
if netSubmod.config.cidrv6 == null
then null
else lib.net.cidr.host hostSubmod.config.id netSubmod.config.cidrv6;
};
cidrv4 = mkOption {
type = types.net.cidrv4;
description = "The IPv4 of this host including CIDR mask";
readOnly = true;
default =
if netSubmod.config.cidrv4 == null
then null
else lib.net.cidr.hostCidr hostSubmod.config.id netSubmod.config.cidrv4;
};
cidrv6 = mkOption {
type = types.net.cidrv6;
description = "The IPv6 of this host including CIDR mask";
readOnly = true;
default =
if netSubmod.config.cidrv6 == null
then null
else lib.net.cidr.hostCidr hostSubmod.config.id netSubmod.config.cidrv6;
};
};
}));
};
};
}));
};
services = mkOption { services = mkOption {
type = types.attrsOf (types.submodule { type = types.attrsOf (types.submodule {
options = { options = {
domain = mkOption { domain = mkOption {
type = types.str; type = types.str;
description = ""; description = "The domain under which this service can be reached";
}; };
}; };
}); });

7
nix/globals.nix
View file

@ -1,4 +1,4 @@
{ {inputs, ...}: {
flake = { flake = {
config, config,
lib, lib,
@ -7,6 +7,9 @@
globals = let globals = let
globalsSystem = lib.evalModules { globalsSystem = lib.evalModules {
prefix = ["globals"]; prefix = ["globals"];
specialArgs = {
inherit (inputs.self.pkgs.x86_64-linux) lib;
};
modules = [ modules = [
../modules/globals.nix ../modules/globals.nix
({lib, ...}: { ({lib, ...}: {
@ -23,7 +26,7 @@
in { in {
# Make sure the keys of this attrset are trivially evaluatable to avoid infinite recursion, # Make sure the keys of this attrset are trivially evaluatable to avoid infinite recursion,
# therefore we inherit relevant attributes from the config. # therefore we inherit relevant attributes from the config.
inherit (globalsSystem.config.globals) services; inherit (globalsSystem.config.globals) net services;
}; };
}; };
} }